is there any way to set "allowed_origins" for pusher service
Now anyone that know my "app_key" can connect to my socket server in pusher.com "app_key" is in socket request address in the browser console so its not secure !
That wouldn't make it more secure. It's probably why Pusher doesn't have a feature like that. A malicious actor could still easily send arbitrary header from any server and subscribe to a channel.
If you are concerned about who can subscribe to a channel (e.g., you are broadcasting sensitive messages), you must use private channels.